Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: fix refChecker when namespace is specified and is the same as route's namespace #5392

Merged
merged 5 commits into from
Jan 16, 2024

Conversation

pmalek
Copy link
Member

@pmalek pmalek commented Jan 2, 2024

What this PR does / why we need it:

When route has the same namespace specified as the backendref, then it should be allowed without a ReferenceGrant.

Additionally this PR adds Service lookup in backendRefsToKongStateBackends() to verify if the provided namespace exists.

The gist of this change is in internal/dataplane/translator/backendref.go. The rest is just adapting the tests basically.

Which issue this PR fixes:

Fixes: #5388

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

  • the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

@pmalek pmalek requested a review from a team as a code owner January 2, 2024 13:46
@pmalek pmalek added the area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API label Jan 2, 2024
@pmalek pmalek self-assigned this Jan 2, 2024
Copy link

codecov bot commented Jan 2, 2024

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (b8b543c) 0.0% compared to head (6215568) 69.5%.
Report is 3 commits behind head on main.

Files Patch % Lines
internal/dataplane/translator/backendref.go 83.7% 5 Missing and 2 partials ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##           main   #5392      +/-   ##
=======================================
+ Coverage      0   69.5%   +69.5%     
=======================================
  Files         0     176     +176     
  Lines         0   22525   +22525     
=======================================
+ Hits          0   15673   +15673     
- Misses        0    5924    +5924     
- Partials      0     928     +928     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pmalek
Copy link
Member Author

pmalek commented Jan 2, 2024

This needs to be updated to account for failing conformance test:

TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 (30.00s)

Copy link
Contributor

@randmonkey randmonkey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have checked the failing conformance test: TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 . This test case specifies a backendRef with the same namespace of the HTTPRoute.
Before the change, we got 0 available backend services, but after the change we got a backend but with no upstreams. So we got 503 but not the expected 500.
We can see the following message in the output of conformance tests:

  http.go:238: Response expectation failed for request: {URL: {Scheme:http Opaque: User: Host:172.18.128.3 Path:/ RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}, Host: , Protocol: HTTP, Method: GET, Headers: map[X-Echo-Set-Header:[]], UnfollowRedirect: false, Server: , CertPem: <truncated>, KeyPem: <truncated>}  not ready yet: expected status code to be 500, got 503 (after 17.04749077s)

@pmalek
Copy link
Member Author

pmalek commented Jan 8, 2024

I have checked the failing conformance test: TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 . This test case specifies a backendRef with the same namespace of the HTTPRoute. Before the change, we got 0 available backend services, but after the change we got a backend but with no upstreams. So we got 503 but not the expected 500. We can see the following message in the output of conformance tests:

  http.go:238: Response expectation failed for request: {URL: {Scheme:http Opaque: User: Host:172.18.128.3 Path:/ RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}, Host: , Protocol: HTTP, Method: GET, Headers: map[X-Echo-Set-Header:[]], UnfollowRedirect: false, Server: , CertPem: <truncated>, KeyPem: <truncated>}  not ready yet: expected status code to be 500, got 503 (after 17.04749077s)

Yes. In order to mitigate that we'd have to pass down a client of sorts (or something that could list namespaces) to either

func backendRefsToKongStateBackends(
or so that we ensure that the namespace pointed by the backendRef exists.

Unless there are other ideas that I haven't thought about 🤔

@pmalek
Copy link
Member Author

pmalek commented Jan 15, 2024

Yes it will. It's cross referenced above.

internal/dataplane/translator/backendref.go Outdated Show resolved Hide resolved
internal/dataplane/translator/backendref.go Show resolved Hide resolved
internal/dataplane/translator/backendref.go Outdated Show resolved Hide resolved
internal/dataplane/translator/backendref.go Outdated Show resolved Hide resolved
@pmalek pmalek requested a review from czeslavo January 16, 2024 10:53
@pmalek pmalek enabled auto-merge (squash) January 16, 2024 11:09
@pmalek pmalek merged commit af769ce into main Jan 16, 2024
37 checks passed
@pmalek pmalek deleted the fix-backendrefchecker branch January 16, 2024 11:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/gateway-api Relating to upstream Kubernetes SIG Networking Gateway API size/XL
Projects
None yet
4 participants